Tomorrow's passwords: edible, injectable, unbreakable, Orwellian

Iain Gillespie

The days of alphanumeric passwords are numbered, their demise driven by the fact that it's now child's play for criminals to steal the woefully simple personal codes most people use, and by the emergence of a fascinating array of alternatives.

Researchers have developed password pills that measure your body chemistry, keystroke biometrics that identify the way you use a keyboard, digital tattoos that stick to your skin and microchips for injecting under it.

Some of the measures might sound bizarre, but massive profits could be made with a viable substitute for keyboard characters. Matthew Warren, professor of information systems at Deakin University, expects passwords to fade out over the next decade.

"The biggest problem users face is the impact of malware and computer viruses," he said. "The most effective ones, keyloggers, are those that install in your computer, log everything you type on your keyboard and then send that information outside.

"Within the next decade, either passwords will not exist, or will be used with other forms of identification. Certainly the days of using passwords as the only single form of identification are numbered."

The risk of a computer being infected with password-grabbing malware is higher than many people realise. You may be a tiny needle in the internet's vast digital haystack, but statistically your chances of a malware attack are at least one in three.


The Kaspersky Lab cyber security company reports that 34.2 per cent of its 400 million users worldwide had at least one attack on their computers last year, and mobile phones are far from immune.

Another global security company, Symantec, noted in its 2015 internet security threat report that 17 per cent of all Android apps were actually malware in disguise, and that almost one million new pieces of malware are created every day.

Exactly how many of these nasty little intruders have keystroke monitoring capabilities is unknown, but one thing is clear. Even the longest and most complicated password is useless if it's sent to a criminal after you type it.

Endless hordes of fresh malware are discovering new platforms to feast on, and can embed so deeply into your computer's system that they are almost impossible to detect. They can attack from any direction, from websites, emails and even software updates from legitimate companies that have also been unknowingly hacked.

So what's the answer? Obviously keeping your computer's security software up to date is a given, whether it's Mac or otherwise, but Warren believes the growing number of mobiles with fingerprint readers points to a more permanent solution.

"The fact that users are becoming more comfortable with using biometric technology on their smartphones means, in theory, that they will be more comfortable when they log in with keyboards that also have those systems built in," he said.

"That acceptance can lead to something called keystroke biometrics. The way you type is unique to yourself, and it monitors your keystroke profile. So if someone logs into your account and their keystrokes don't match your typing profile, it will ask you secret questions like, 'what's your mother's surname?'"

The CSIRO's Data61 has created an "implicit authentication" system that also recognises the unique way each person touches and swipes the screen on their mobile devices, and is developing the technology to work with ATMs.

Turning your entire body into a password is another idea. Regina Dugan, vice president of Google's advanced technology and projects group, unveiled a prototype password pill in 2013 that contains a tiny chip powered by stomach acid.

The pill emits an 18-bit ECG-like signal that Dugan says is detectable by computers and mobiles. "Essentially your entire body becomes your authentication token," she told a D11 tech conference. A US company called Proteus is already making the tablets, but for medical purposes only.

Jonathan LeBlanc, head of developer advocacy at PayPal, sometimes gives a series of tech lectures titled 'Kill the Password', and has told the Wall Street Journal that PayPal is working with companies creating scans of the veins in your hands and arms, and bands that recognise your unique heartbeat.

A company called VivaLnk has released flexible waterproof digital tattoos that it says can store passwords for smartphones and make cashless payments. Each tattoo lasts for about five days and costs around $10 for a pack of 10.

You can even self-inject a password under your skin if you're not too squeamish. Kits with an RFID microchip and syringe – like those used for household pets and farm animals – are available in the US for $99 through a company called Dangerous Things. The kits are not tested by any regulatory agency and are sold "strictly at your own risk".

Dr Suelette Dreyfus, a researcher in computing and information systems at the University of Melbourne who has written a book on hacking with WikiLeaks founder Julian Assange, says passwords will be needed for some time to come.

"Passwords are not entirely passé, there are still a lot of portals that need them," she says. "Doing them well doesn't mean having to change them every five minutes, but it's important to choose a very secure one.

"What you need to do is make the cost of guessing your password so high that the criminal hacker goes to the next person on their list. I would say that 12 random characters would be a pretty good number, although 15 is even better."

Trouble is, most people can't remember long and complicated passwords and seem resistant to using devices that automatically generate and store them. Perhaps the best advice came from Edward Snowden in a recent interview on US television.

"For someone who has a very common eight character password, it can literally take less than a second for a computer to go through the possibilities and pull that password out," he said. "The best advice is to shift your thinking from passwords to pass phrases. Think about a phrase that's too long to brute force and unlikely to be in the dictionary – like margaretthatcheris110%SEXY."
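As an added worked example (not part of the article), here is the guessing-cost arithmetic behind the figures quoted above: a common eight-character password falls in well under a second because it is found in a wordlist, while 12 or 15 genuinely random characters push an exhaustive search to geological timescales. The guess rate and wordlist size are assumptions chosen for illustration.

```python
import math

# Assumed offline guessing rate against a fast, unsalted hash on GPU hardware.
# This is an illustrative assumption, not a figure from the article.
GUESSES_PER_SECOND = 1e10

# Assumed size of a leaked-password wordlist an attacker would try first.
COMMON_PASSWORD_LIST_SIZE = 10_000_000


def keyspace_size(alphabet_size: int, length: int) -> int:
    """Number of candidates for a password drawn uniformly from the alphabet."""
    return alphabet_size ** length


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return 2.0 ** bits / rate


def compare_policies(rate: float = GUESSES_PER_SECOND) -> dict:
    """Worst-case exhaustion time, in seconds, for the password classes in the article."""
    return {
        # A 'very common' password is effectively a lookup in a wordlist, not a search.
        "common 8-char (wordlist)": seconds_to_exhaust(math.log2(COMMON_PASSWORD_LIST_SIZE), rate),
        "8 random alphanumeric":    seconds_to_exhaust(keyspace_bits(62, 8), rate),
        "12 random printable":      seconds_to_exhaust(keyspace_bits(95, 12), rate),
        "15 random printable":      seconds_to_exhaust(keyspace_bits(95, 15), rate),
    }


def human_time(seconds: float) -> str:
    """Render seconds as the largest convenient unit for a quick read."""
    for unit, size in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    for policy, secs in compare_policies().items():
        print(f"{policy:28s} {human_time(secs)}")
```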